What is a Man in the Browser Attack?

A man in the browser attack is an application that is capable of stealing login credentials, account numbers, and various other types of financial information. The attack combines the use of Trojan horses with a unique phishing approach to insinuate a window that overlays the browser on a given computer. The presence of the Trojan horse is transparent to the user, as it does not interfere with the normal use of the browser to visit web sites and engage in transactions on those sites.

These attacks are designed to capture confidential information that can be used to the advantage of the entity that launched the attack. As part of the function, the man in the browser process begins with the establishment of the Trojan on the hard drive. The Trojan embeds in a file and is often hard to isolate. Once the Trojan is in place, the virus launches a transparent overlay on the browser that is unlikely to be detected.

Unlike more traditional phishing methods that employ links in the body of emails to direct users to fake web sites and prompt them to enter secure data, the man in the browser simply captures data as the user enters it. The user is completely unaware of that the data is being hijacked, since he or she is interacting with a legitimate site. The attack does not interfere with the transaction in any way at this point.

Once the data is captured, the entity that created and distributed the attack receives the collection of security codes, credit card numbers, or bank account login information and can begin to use it for a wide range of purposes. The victim may not be aware of the problem until several credit cards have been used or the balance in the checking account begins to drop unexpectedly.

Part of the frustration with a man in the browser attack is that the bug is very hard to detect and even harder to remove from the system. Unlike many other forms on intrusive viruses, the invader operates between the browser security protocols and the input of the user. This means that standard security measures normally will not even reveal the presence of the virus.